FTC Issues Settlement Requiring Zoom to Implement Robust Information Security Program in Response to Years of Deceptive Security Practices
On November 9, 2020, the Federal Trade Commission (FTC) announced a settlement agreement with Zoom Video Communications, Inc. (Zoom) that arose from alleged violations that Zoom engaged in a series of deceptive and unfair practices that undermined user security.
The FTC found that Zoom made several representations across its platform regarding the strength of its privacy and security measures used to protect users’ personal information that were untrue and provided users with a false sense of security. Specifically, the FTC found that Zoom made multiple statements regarding “end-to-end” and “AES 256-bit” encryption used to secure videoconference communications. However, Zoom did not provide end-to-end encryption for any Zoom meeting conducted outside of Zoom’s “Connecter” product. And, Zoom used a lower level of encryption that did not provide for the same level of security as “AES 256-bit” encryption. The FTC also found that Zoom stored meeting recordings unencrypted and for a longer period than Zoom claimed in its Security Guide. And, Zoom circumvented browser privacy and security safeguards through software updates without notice to users and without establishing replacement safeguards.